Win32/Cridex: Java pushes Cyprus into a Blackhole

[Update: hat tip to Kafeine for pointing out that we cited the wrong CVE number. Now corrected in the text.]

Sadly, Cyprus has been the source of bad news lately. Even sadder, nothing travels faster than bad news, and bad people are all too ready to use bad news to trick their victims into opening bad files. My colleague Aleksandr Matrosov has alerted us to a spammed out message crammed with malicious links. Here’s a screenshot:

Despite the apparently innocuous nature of the links, they actually all go to a site booby-trapped with the Blackhole exploit kit (hxxp://go-my.ru/cyprus_news.html). The page is detected by ESET as a phishing site and users are protected.

The malware uses the latest Java exploit CVE-2013-0431 and we detect the samples as Win32/Cridex.AA and Java/Exploit.Agent.NMK.

Following infection of the victim machine, the victim is redirected to the main BBC news page:

As you see, the story there isn’t quite as dramatic as the spam message implies, but of course the idea is to grab your attention and get you to click on a malicious link.

The malware’s payload is to drop Win32/Cridex (see Virus Radar for a map of Win32/Cridex). We are now on notice that unsolicited emails about the problems in Cyprus are to be treated with extreme caution.